Security scan
OpenClaw
Safe
high confidence
The skill's code, runtime instructions, and external endpoints are consistent with its stated purpose (finding MBUSA dealers and inventory); it does not request credentials or broaden scope beyond vehicle/dealer lookups.
Assessment recommendations
This skill appears to do exactly what it says: query MBUSA APIs and return dealer/inventory data with clickable links. Before installing or running it: 1) Confirm you trust the source (owner ID is present but homepage is missing). 2) If you plan to run the included server, run npm install only in an isolated environment and be aware it will pull express and its transitive dependencies from the npm registry. 3) Expect queries (zip codes) to go to MBUSA servers — do not send sensitive personal dat...
✓ Purpose and capabilities
Name/description, SKILL.md, schema.json, and source code all align: the code queries MBUSA endpoints (nafta-service.mbusa.com) and returns dealer/inventory fields described in the manifest. No unrelated services, binaries, or credentials are requested.
✓ Instruction scope
SKILL.md restricts actions to dealer and inventory searches and explicitly asks for Markdown-formatted links. The implementation only calls MBUSA APIs and constructs Google Maps/website/image links. The instructions and code do not read local files, environment secrets, or transmit data to unexpected third-party endpoints.
ℹ Install mechanism
The skill is declared instruction-only (no install spec), which is low-risk; however repository files (package.json, package-lock.json, server.js) indicate this can also run as a standalone Node/Express service and has a dependency on express. There's no downloaded/obfuscated third-party URL or archive in the install spec. If you intend to run the server, you'll fetch npm packages from the registry — standard but worth noting.
✓ Credential requirements
No environment variables, credentials, or config paths are required. The skill does not attempt to access unrelated secrets or system configuration. The only network targets are MBUSA domains and Google Maps URLs (for directions).
✓ Persistence and privileges
Skill flags are default (always: false, user-invocable: true, disable-model-invocation: false). The skill does not request persistent system privileges or modify other skills. It exposes optional local HTTP endpoints if run as a server, which is normal for an included tool but should be run with standard host/network caution.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v0.0.6 2026/4/7
- Removed Google Maps URLs from the output data and documentation for both dealer and inventory results.
- Updated documentation to reflect the new data returned (no more Google Maps URLs) for get_mbusa_dealers and get_mbusa_inventory.
- No functionality changes to filtering or data retrieval—output and documentation are now aligned.
● Benign
Install command
Official: npx clawhub@latest install mercedes-benz
Mirror: npx clawhub@latest install mercedes-benz --registry https://cn.longxiaskill.com